U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
AUDITING DIVISION

AUDIT REPORT
Issue Date: November 14, 2008
Number: 9-03

To:       Sandy K. Baruah
          Acting Administrator

          Jennifer Main
          Chief Financial Officer

From:     Debra Ritt
          Assistant Inspector General for Auditing

Subject:  Audit of SBA's FY 2008 Financial Statements

Pursuant to the Chief Financial Officers Act of 1990, attached are the Independent Auditors' Report and accompanying reports on internal control and compliance with laws and regulations issued by KPMG LLP for the fiscal year ending September 30, 2008. The audit was performed under a contract with the Office of Inspector General (OIG) and in accordance with Generally Accepted Government Auditing Standards; Office of Management and Budget's (OMB) Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended; the Government Accountability Office (GAO)/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual; and GAO's Federal Information System Controls Audit Manual.

The KPMG report concluded that SBA's consolidated financial statements presented fairly, in all material respects, the financial position of SBA as of and for the years ended September 30, 2008 and 2007. It also presented fairly, in all material respects, SBA's net costs, changes in net position, and combined statements of budgetary resources for the years then ended.

With respect to internal control over financial reporting, KPMG continued to report a significant deficiency related to Information Technology controls, but did not consider this deficiency to be a material weakness. KPMG noted that SBA made progress in several areas in its efforts to address prior year Information Technology internal control deficiencies. However, despite these improvements, deficiencies continue to exist for security access controls, software program changes, and end-user computing. Details regarding this significant deficiency are discussed more in Exhibit I of the Independent Auditors' Report.

KPMG's test for compliance with certain laws, regulations, contracts and grant agreements disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, and Bulletin 07-04, as amended.

We provided a draft of KPMG's report to SBA's Chief Financial Officer (CFO), who concurred with its findings and recommendations and agreed to implement the recommendations. The CFO is delighted that SBA has again received an unqualified audit opinion with no reported material weaknesses and believes these results accurately reflect the quality of the Agency's financial statements and its improved accounting, budgeting and reporting processes.

We reviewed a copy of KPMG's report and related documentation and made necessary inquiries of their respective representatives. Our review was not intended to enable us to express, and we do not express, an opinion on the SBA's financial statements, KPMG's conclusions about the effectiveness of internal control, or its conclusions about SBA's compliance with laws and regulations. However, our review disclosed no instances where KPMG did not comply, in all material respects, with Generally Accepted Government Auditing Standards.

We appreciate the cooperation and assistance of SBA and KPMG. Should you or your staff have any questions, please contact me at (202) 205-[redacted] or Jeffrey R. Brindle, Director, Information Technology and Financial Management Group at (202) 205-[redacted].

Attachments


KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors' Report

Office of Inspector General
U.S. Small Business Administration:

We have audited the accompanying consolidated balance sheets of the U.S. Small Business Administration (SBA) as of September 30, 2008 and 2007, and the related consolidated statements of net cost, changes in net position, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2008 audit, we also considered SBA's internal controls over financial reporting and tested SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

SUMMARY

As stated in our opinion on the consolidated financial statements, we concluded that SBA's consolidated financial statements as of and for the years ended September 30, 2008 and 2007, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

Our opinion emphasized that the current economic conditions give rise to risks associated with the uncertainty of future events and actual losses to the agency will be dependent upon future economic and market conditions.

Our consideration of internal control over financial reporting resulted in the following condition being identified as a significant deficiency:

• Improvement Needed in Information Technology (IT) Controls

However, we did not consider this significant deficiency to be a material weakness.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

The following sections discuss our opinion on SBA's consolidated financial statements; our consideration of SBA's internal control over financial reporting; our tests of SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of SBA as of September 30, 2008 and 2007, and the related consolidated statements of net cost, changes in net position, and the combined statements of budgetary resources for the years then ended. In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of SBA as of September 30, 2008 and 2007, and its net costs, changes in net position, and budgetary resources for the years then ended in conformity with U.S. generally accepted accounting principles.

As discussed in note 17 to SBA's financial statements, SBA continues to evaluate the risks posed by the current market downturn on its direct loan and loan guaranty portfolios, but the impact of such future risks cannot be reasonably estimated at this time. Actual losses, if any, will largely depend on future economic and market conditions and could differ materially from SBA's current estimates.

The information in the Management Discussion and Analysis, Required Supplementary Information and Required Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles and OMB Circular No. A-136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information, and accordingly, we express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of the internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and would not necessarily disclose all deficiencies in the internal control over financial reporting that might be significant deficiencies or material weaknesses.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects SBA's ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of SBA's consolidated financial statements that is more than inconsequential will not be prevented or detected by SBA's internal control over financial reporting. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by SBA's internal control.

In our fiscal year 2008 audit, we consider the deficiency described in Exhibit I to be a significant deficiency in internal control over financial reporting; however, we do not believe the significant deficiency described in Exhibit I is a material weakness. A summary of the status of the prior year significant deficiency, and management's response to our findings, is included as Exhibits III and IV, respectively.

We also noted certain additional matters that we reported to SBA's management in a separate letter dated November 14, 2008.

COMPLIANCE AND OTHER MATTERS

The results of our tests of compliance described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, as amended.

The results of our tests of FFMIA disclosed no instances in which SBA's financial management systems did not substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.

* * * * *

RESPONSIBILITIES

Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements applicable to SBA.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2008 and 2007 consolidated financial statements of SBA based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04, as amended. Those standards and OMB Bulletin No. 07-04, as amended, require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of SBA's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

• Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements

• Assessing the accounting principles used and significant estimates made by management

• Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2008 audit, we considered SBA's internal control over financial reporting by obtaining an understanding of the SBA's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of SBA's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the SBA's internal control over financial reporting.

As part of obtaining reasonable assurance about whether SBA's fiscal year 2008 consolidated financial statements are free of material misstatement, we performed tests of SBA's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of SBA financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, as amended, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to SBA. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit, and accordingly, we do not express such an opinion.

______________________________

SBA's response to the findings identified in our audit report is presented in Exhibit IV. We did not audit SBA's response, and accordingly, we express no opinion on it.

This report is intended solely for the information and use of SBA's management, SBA's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

November 14, 2008


Exhibit I
U.S. Small Business Administration
Significant Deficiency

The internal control deficiency discussed in this report and the U.S. Small Business Administration's (SBA) progress toward correcting it are discussed in the context of SBA's organizational structure and its ability to obtain funding to take corrective action. Exhibit I herein describes the control deficiencies, which collectively resulted in the significant deficiency reported below, for the year ended September 30, 2008, and our recommendations thereon. The status of prior year noncompliance and internal control deficiencies are reported in Exhibits II and III, respectively, and SBA management's response is presented in Exhibit IV.

(1) Improvement Needed in Information Technology (IT) Controls

During fiscal year 2008, we noted that SBA made progress in several areas in its efforts to address prior year IT internal control deficiencies. Despite these improvements, we also noted that deficiencies continued to exist in the areas of security access controls, software program changes, and end-user computing.

Security Access Controls

Integral to an organization's security program management efforts, technical security access controls for systems and applications should provide reasonable assurance that IT resources such as data files, application programs, and IT-related facilities/equipment are protected against unauthorized modification, disclosure, loss, or impairment.

A summary of the security access control deficiencies we identified during the fiscal year 2008 SBA financial statement audit follows:

• Neither OCIO nor DCMS officials were able to ensure that security vulnerability scans were consistently performed for two DCMS devices physically located at SBA Headquarters. This issue was identified by the SBA Office of Inspector General (OIG) during the OIG's annual Federal Information Security Management Act (FISMA) evaluation.

• The OCIO does not appropriately control remote access authorizations. Specifically, remote access is not always requested and approved by the employees' supervisor, and can be requested by the employees themselves. Further, e-mail approvals from supervisors are not retained for all remote access requests. As a result, controls over remote access authorization are more difficult to implement and validate.

• Validation of physical access to the data center at SBA's headquarters is not performed in accordance with SBA Standard Operating Procedure (SOP) 90-47.2, Automated Information Systems Security Program, which requires that a listing of authorized personnel for SBA computer facilities (e.g., server rooms) be maintained and access be revalidated at least quarterly.

• OCIO management is unable to provide reasonable assurance that electronic media is sufficiently sanitized prior to disposal, in accordance with SOP 90-47.2. The SOP requires that (1) media must be sanitized prior to disposal by using one of the three approved methods: overwriting, degaussing, or destruction, and (2) a log of who completed the sanitization action must be maintained.

• OCIO management was unable to provide reasonable assurance that access to the Loan Accounting System (LAS) and Local Area Network (LAN)/Wide Area Network (WAN) was periodically validated, in accordance with National Institute of Standards and Technology (NIST) guidance and SOP 90-47.2.

These issues are consistent with findings identified by the OIG in past years. In fact, the OIG has identified IT security as a serious SBA management challenge since at least fiscal year 2000.

Despite these issues, SBA has made significant improvements in recent years in the area of IT security, and there is a commitment from SBA to continue further improvements.

Recommendations - Security Access Controls:

We recommend that the SBA OCIO coordinate with SBA program offices to:

3. Ensure the completion of more consistent vulnerability assessments to identify and resolve potential vulnerabilities, both within SBA offices and at service providers.

4. Implement procedures to control the process for requesting and granting remote access and implement procedures to retain the appropriate approval evidence for tracking and validation.

5. Implement controls to comply with SOP 90-47.2 regarding the validation of physical access to the data center.

6. Implement controls to comply with SOP 90-47.2 regarding the sanitizing of media prior to disposal.

7. Retain documentation supporting the validation of LAS and LAN/WAN system access in accordance with NIST guidance and SOP 90-47.2.

Software Program Changes

The primary focus of an organization's software change controls (which also encompasses patch management and configuration management efforts) is on controlling the software changes made to systems and applications in operation. Without such controls, there is a risk that security features could be inadvertently or deliberately omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment.

A summary of the software program change control deficiencies we identified during the fiscal year 2008 SBA financial statement audit follows:

• The Office of Disaster Assistance (ODA) was unable to provide evidence that baseline configurations for the DCMS were updated in a timely manner. This issue was also identified in fiscal year 2007, and SBA was still in the process of implementing corrective actions during fiscal year 2008.

• The OCIO was unable to provide evidence that (1) testing was performed for four of eight selected LAS software changes, (2) approvals were made for two of eight selected LAS software changes, and (3) testing and approvals were documented for three selected Electronic Transaction System (E-TRAN) software changes.

• The OCIO was unable to provide evidence that changes to the LAN/WAN were appropriately tracked, approved, and implemented.

• Ineffective software program change controls in the Joint Administrative and Accounting Management System (JAAMS) directly led to duplicate payments in the amount of $11,205,608.

• The Office of the Chief Financial Officer (OCFO) was unable to provide evidence that the software change requests were consistently completed for JAAMS and the Financial Reporting Information System (FRIS).

• The OCIO was unable to provide evidence that baseline configurations for LAS were updated in a timely manner. Documented baseline configurations enable the process of tracking and controlling software changes, especially as system security settings are changed.

• The Office of the Chief Operating Officer (OCOO), in conjunction with SBA program offices, has not documented segregation of duty procedures for LAS. Consequently, we could not validate that incompatible software change duties were appropriately segregated. This issue was also identified in fiscal year 2007, and SBA was still in the process of implementing corrective actions during fiscal year 2008.

Recommendations - Software Program Changes:

We recommend the following:

8. ODA management ensure the consistent application of controls and procedures to document the DCMS baseline configuration.

9. OCIO management consistently apply procedures for documenting software change testing results, testing approvals, and final approvals. Specifically, such procedures and controls need to be consistently applied for LAS, E-TRAN, and LAN/WAN.

10. OCFO management consistently apply procedures for documenting software change testing results, testing approvals, and final approvals for JAAMS and FRIS.

11. OCIO management ensure the consistent application of controls and procedures to document the LAS baseline configuration.

12. OCOO, in conjunction with program offices, document and implement segregation of duty policies and procedures for LAS.

End-User Computing

End-user computing tools/programs (e.g., spreadsheets and other user-developed programs) present the need for a unique set of general control needs within an organization. By its nature, end-user computing brings the development and processing of information systems closer to the user. End-user computing capabilities typically include access to any end-user developed programs or objects, such as spreadsheets that contain critical data/information. Critical data/information could include Personally Identifiable Information (PII) and financial data. While this environment may not typically be subjected to the same level of rigor and structure as an IT general controls environment, policies and procedures in this area are important to the overall IT environment. We noted many SBA program offices, including the OCFO, Office of Capital Access, and Office of Human Capital Management, have not implemented end-user computing policies and procedures set forth and provided by the OCIO to identify, track, and protect end-user programs containing sensitive information.

Recommendations - End-User Computing:

13. We recommend that the OCIO reemphasize the importance to SBA program offices of controlling end-user programs containing sensitive data, such as PII and financial data, in accordance with OCIO policy.


Exhibit II
U.S. Small Business Administration
Status of Prior Year Noncompliance

Fiscal Year 2007 Noncompliance: Debt Collection Improvement Act of 1996 (DCIA)

During our audit for fiscal year 2007, we noted that SBA did not consistently follow Treasury guidelines when referring delinquent debts for collection in accordance with DCIA. Specifically, we noted that 47 of 140 delinquent debt referral transactions tested were not referred timely or were coded improperly in SBA's Loan Accounting System. These exceptions prompted SBA to examine if there were additional loans that were improperly referred to Treasury. As a result of this examination, management determined it did not refer approximately 24,000 delinquent debts for Treasury in accordance with DCIA. SBA management believes that the issue stems from outdated standard operating procedures and a lack of clear instructions to field offices regarding the referral of delinquent debt to Treasury. Towards the end of fiscal year 2007, SBA management established revised protocols that provide clear instructions to field offices to ensure compliance with DCIA.

Fiscal Year 2008 Status of Noncompliance

The results of our tests of compliance with DCIA in fiscal year 2008 disclosed no instances in which SBA is in substantial noncompliance with DCIA.


Exhibit III
U.S. Small Business Administration
Status of Prior Year Significant Deficiency

Fiscal Year 2007 Findings

1. Improvement needed in management information technology security controls

Fiscal Year 2008 Status of Findings

During our review of SBA's information technology (IT) general and application controls, we noted improvements in formalizing policies and procedures over sanctioning contractors that don't complete annual computer security awareness training, increasing storage space for audit logs and retention of the logs themselves, implementing day-to-day data center employee responsibilities and end-user computing user-level access control policies, and finalizing the Change Control Board Charter for enterprise-wide changes. However, we continued to identify opportunities for SBA to improve its internal controls. The control deficiencies that continue to exist are in the following areas: security access controls, software program changes, and end-user computing.

Therefore, in fiscal year 2008, the presentation of the issue was modified to reflect current year operations, and we continue to report a significant deficiency in internal controls as it relates to IT systems and their impact on the consolidated financial statements. See Exhibit I for additional information.


Exhibit IV
U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

CFO Response to Draft Audit Report on FY 2008 Financial Statements

DATE:     November 14, 2008
TO:       Debra Ritt, Assistant IG for Auditing
FROM:     Jennifer Main, Chief Financial Officer
SUBJECT:  Draft Audit Report on FY 2008 Financial Statements

The Small Business Administration is in receipt of the draft Independent Auditors' Report from KPMG that includes the auditor's opinion on the financial statements and review of the Agency's internal control over financial reporting and compliance with laws and regulations. The independent audit of the Agency's financial statements and related processes is a core component of SBA's financial management program.

We are delighted that the SBA has again received an unqualified audit opinion from the independent auditor with no reported material weaknesses. Additionally, the report found that SBA is in compliance with all applicable laws and regulations again this year. We believe these results accurately reflect the quality of the Agency's financial statements and our improved accounting, budgeting and reporting processes. As you know, the SBA has worked hard over the past several years to address the many findings from our independent auditors. Our core financial reporting data and processes have improved substantially and we are proud that the results of our efforts have been confirmed by the independent auditor.

The audit report, however, includes a continuing significant deficiency in the SBA's information technology controls. While we appreciate the recognition in the report of the substantial progress the SBA has made in this area, we are nonetheless disappointed that the significant improvements we have made were not sufficient for the auditor to eliminate this finding. During FY 2008, the SBA's Office of the Chief Information Officer instituted several processes to strengthen information security controls and took a multitude of corrective actions to address previous audit findings, closing 24 out of 41 previous findings. In addition, OCIO made significant progress on the SBA's Management Challenges reported by our Inspector General, scoring green on two key critical areas affecting service continuity controls and computer security training. We do, however, recognize that further improvements are needed in SBA's information technology controls, and the SBA is committed to taking all necessary action to eliminate this significant deficiency in future audit reports.

We appreciate all of your efforts and those of your colleagues in the Office of the Inspector General as well as those of KPMG. The independent audit process continues to provide us with new insights and valuable recommendations that will further enhance SBA's financial management practices. We continue to be committed to excellence in financial management and look forward to making more progress in the coming year.